module ActiveSupport::SecurityUtils
Public Class Methods
secure_compare(a, b)
click to toggle source
Constant time string comparison.
The values compared should be of fixed length, such as strings that have already been processed by HMAC. This should not be used on variable length plaintext strings because it could leak length info via timing attacks.
# File lib/active_support/security_utils.rb, line 11 def secure_compare(a, b) return false unless a.bytesize == b.bytesize l = a.unpack "C#{a.bytesize}" res = 0 b.each_byte { |byte| res |= byte ^ l.shift } res == 0 end
Private Instance Methods
secure_compare(a, b)
click to toggle source
Constant time string comparison.
The values compared should be of fixed length, such as strings that have already been processed by HMAC. This should not be used on variable length plaintext strings because it could leak length info via timing attacks.
# File lib/active_support/security_utils.rb, line 11 def secure_compare(a, b) return false unless a.bytesize == b.bytesize l = a.unpack "C#{a.bytesize}" res = 0 b.each_byte { |byte| res |= byte ^ l.shift } res == 0 end